1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
$NetBSD: patch-ad,v 1.2 2006/03/02 21:03:39 wiz Exp $
--- server.c.orig 2005-09-16 12:17:59.000000000 +0200
+++ server.c
@@ -208,7 +208,7 @@ long ts;
int pid;
pid=getpid();
-GetPeerIp(s,ip,buff);
+GetPeerIp(s,ip,BLEN,buff,BLEN);
//
// We check if this IP is authorized to connect to us
@@ -261,21 +261,34 @@ while(1==1)
// Now, we are sure our buffer string length is no more than BLEN
// as all parameters are defined also as buffers with a BLEN size
// no buffer overflow is possible using strcpy .
+ // But what's the point. Protect it anyway.
//
if(strcmp(buff,"")==0) break;
if(strncmp(buff,"request=",8)==0)
- strcpy(request,buff+8);
+ {
+ strncpy(request,buff+8, sizeof(request)-1);
+ request[sizeof(request)-1] = '\0';
+ }
if(strncmp(buff,"sender=",7)==0)
- strcpy(sender,buff+7);
+ {
+ strncpy(sender,buff+7, sizeof(sender)-1);
+ sender[sizeof(sender)-1] = '\0';
+ }
if(strncmp(buff,"recipient=",10)==0)
- strcpy(recipient,buff+10);
+ {
+ strncpy(recipient,buff+10, sizeof(recipient)-1);
+ recipient[sizeof(recipient)-1] = '\0';
+ }
if(strncmp(buff,"client_address=",15)==0)
- strcpy(ip,buff+15);
+ {
+ strncpy(ip,buff+15,sizeof(ip)-1);
+ ip[sizeof(ip)-1] = '\0';
+ }
}
@@ -300,7 +313,11 @@ Quote(sender);
// Now, we can safely use, str** functions
//
-if(sender[0]==0) strcpy(sender,"void@void");
+if(sender[0]==0)
+ {
+ strncpy(sender,"void@void",sizeof(sender)-1);
+ sender[sizeof(sender)-1] = '\0';
+ }
if(strcmp(request,REQ)!=0 || recipient[0]==0 || ip[0]==0)
{
|
